(57) [Abstract]
[Problem to be Solved] 

To allow elimination of a bad packet by filtering
using an existing area of the packet without adding an area
to the data format of the packet.
[Solution] 

An IP header check unit 11 of a gateway 1 allows only 
a good communication packet to pass through, based on TTL 
(Time To Live) information and IP address information that 
are included in the IP header* A TTL filtering unit 21 of 
the IP header check unit 11 allows only a communication 
packet with valid TTL information in the IP header, to pass 
through. A validity check unit 21a checks validity based 
on the condition that the value of the TTL of a passing 
packet is within the range of the initial value determined 
in advance in a group, to a value (the initial value minus 
the maximum number of passing gateways). A filtering
processor 21b gives a communication packet with TTL 
information not satisfying the given condition, to a packet 
discard unit 12. 
[Claims for the Patent]
[Claim 1] 

An illegal access prevention method used in a 
communication network including a plurality of branch 
networks connected by connecting devices, in which one or 
more logical groups are formed, to prevent illegal access 
in the logical group, 

wherein the method is characterized in that the 
initial value of the Time To Live information included in a 
communication packet, is set in advance at the time of the 
transmission, to a predetermined value as confidential 
information in the logical group, 

wherein the connecting device checks the validity of 
the Time To Live information when the communication packet 
passes therethrough, for the purpose of filtering of the 
packet passing in and out of the logical group. 
[Claim 2] 

The illegal access prevention method according to 
claim 1, characterized in that the Time To Live information 
includes information to be subtracted each time the packet 
passes through each of the connecting devices,

wherein the initial value of the Time To Live 
information as confidential information, is set to a value 
exceeding the estimated maximum number of connecting 
devices through which the packet is supposed to pass, based 
on the network configuration, 

wherein, when the value of the Time To Live 
information of the passing packet is out of the range of 
the initial value to the value (the initial value minus the
maximum number of connecting devices through which the 
packet is supposed to pass), the connecting device 
determines that the packet is a bad packet.
[Claim 3] 

The illegal access prevention method according to 
claim 1 or 2, characterized by further using filtering 
based on IP (Internet Protocol) address.
[Claim 4] 

The illegal access prevention method according to any 
one of claims 1 to 3, characterized by further using 
filtering based on MAC (Media Access Control) address. 
[Claim 5] 

The illegal access prevention method according to any 
one of claims 1 to 4, characterized in that the bad packet 
is discarded by the connecting device. 
[Claim 6] 

An illegal access prevention system used in a 
communication network including a plurality of branch 
networks connected to each other, in which one or more 
logical groups are formed, 

wherein the system is characterized by comprising: 
a terminal device connected to the branch network, 
having Time To Live information setting means for setting 
the initial value of the Time To Live information included 
in a communication packet at the time of the transmission 
of the communication packet, to a predetermined value as 
confidential information in the logical group set in 
advance in the communication network; and

network connecting means having validity check means 
for checking the validity of the Time To Live information 
of the communication packet passing therethrough, and 
filtering processing means for filtering the packet passing 
in and out of the logical group based on the check result 
of the validity check means, 

wherein the network connecting means connects the 
plurality of branch networks while preventing illegal 
access in the logical group. 
[Claim 7] 

The illegal access prevention system according to 
claim 6, characterized in that the Time To Live information 
includes information to be subtracted each time the packet 
passes through each of the network connecting means,

wherein the Time To Live information setting means 
includes means for setting the initial value of Time To 
Live information as confidential information, to a value 
exceeding the estimated maximum number of network 
connecting means through which the packet is supposed to 
pass, based on the network configuration, 

wherein the validity check means includes means for 
determining that the packet is a bad packet, when the value 
of the Time To Live information is out of the range of the 
initial value to the value (the initial value minus the 
maximum number of network connecting means through which 
the packet is supposed to pass).
[Claim 8] 
The illegal access prevention system according to
claim 6 or 7, characterized in that the network connecting
means further includes IP address filtering means for 
performing filtering based on IP (Internet Protocol) 
address.
[Claim 9] 

The illegal access prevention system according to any 
one of claims 6 to 8, characterized in that the network 
connecting means further includes MAC address filtering 
means for performing filtering based on MAC (Media Access 
Control) address. 
[Claim 10] 

The illegal access prevention system according to any 
one of claims 6 to 9, characterized in that the network 
connecting means includes packet discard means for 
discarding the bad packet prevented from passing through by 
filtering.

[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] 

The present invention relates to preventing illegal 
access in routers, gateways, or other devices that form a 
communication network system. More particularly, the 
present invention relates to an illegal access prevention 
system suitable for communication network systems using 
TCP/IP (Transmission Control Protocol/Internet Protocol) as 
a communication protocol. 
[0002]
[Prior Art] 

A communication network system, for example, a LAN 
(Local Area Network) system, is formed by connecting a 
plurality of branch LANs through at least either routers or 
gateways. In such a communication network system, TCP/IP 
is often used as a communication protocol. 
[0003] 

Some networks are physically connected, on which 
logical grouping is done according to necessity. In such a 
case, communication takes place mostly within a logical 
group, and communication with other groups may not be 
necessary or is desired to be eliminated. 
[0004] 

In such a case, in the routers, gateways, or other 
devices that connect the branch LANs, the MAC (Media Access
Control) addresses or IP (Internet Protocol) addresses of 
packets are identified to prevent a packet of another group 
from passing through, in order to prevent an illegal access 
packet such as a multicast packet, an abnormal packet, or a 
packet trying to illegally access a terminal of another 
group, from entering into and going out of the specific 
group.
[0005] 

As described above, the function of identifying the 
MAC addresses or IP addresses of packets to prevent a 
packet of another group from passing through, is called MAC 
address filtering function for performing filtering based 
on MAC address, or called IP address filtering function for
performing filtering based on IP address. 
[0006] 

In other words, the filtering based on MAC address or 
IP address is performed in the following manner. The MAC
address or IP address that allows a packet to pass through, 
is registered in advance in the router or gateway. The 
router or gateway checks the MAC address or IP address of 
the received packet against the registered MAC address or 
IP address, allowing only the packet with the correct MAC 
address or IP address to pass through. In this way, the 
passing of the illegal access packet is prevented by the 
router or gateway. 
[0007] 

In many cases, the MAC address is physically set to a 
terminal device (hereinafter simply referred to as 
"device") and is unlikely to be easily changed. However,
there exists a multicast address in the MAC layer address 
to allow a multicast packet to pass through all networks, 
causing confusion with the multicast packet. In order to 
prevent such confusion, IP address filtering is used for 
filtering based on IP address in the network layer above 
the MAC layer. 
[0008] 

However, the IP address, which is necessary for the 
TCP/IP protocol, is logically set to the device and can be 
relatively easily changed. For this reason, when a device 
not belonging to a specific group, illegally sets the IP 
address of a terminal of the group to try to enter the LAN
system in the same group, the illegal access packet may not 
be reliably detected by IP address filtering. 
[0009] 

To overcome the above problem, Japanese Patent 
Application Laid-open No. H7 (1995)-170279 discloses a
technology for eliminating an illegal address packet 
without using IP address filtering. 
[0010] 

In other words, the system disclosed in JP-A No.
H7 (1995)-170279 uses, in addition to the conventional
bridge circuit that accommodates a plurality of branch LANs 
and performs filtering based on MAC address, a bridge 
circuit having a function for registering the group number 
of each branch LAN, a function for adding the group number 
to a packet at the time of the transmission, and a function 
for checking the group number added to the packet against 
the registered group number at the time of receiving the 
packet.
[0011] 

That is, the system sets the group number to each of 
the LANs accommodated in each of the bridge circuits, and 
adds the group number to a packet to be transmitted to a 
core bus to transfer data between LANs in the same group. 
When the packet is received from the core bus, the system 
performs filtering based on the group number added to the 
packet at the time of the transmission, before performing 
filtering based on MAC address, which is the filtering 
function the bridge circuit originally performed.
[0012] 

In other words, in the system formed by connecting a 
plurality of branch LANs to which a plurality of terminals 
are connected, to a core bus through a plurality of bridge 
circuits, the plurality of LANs, which are respectively 
accommodated in the plurality of bridge circuits, are 
grouped into a plurality of independent groups. The group 
number of each branch LAN is registered in advance in each 
bridge circuit in which the branch LAN is accommodated. 
When a packet is transmitted from a terminal to another 
branch LAN in the same group, the bridge circuit adds to 
the packet the group number of the branch LAN to which the 
terminal belongs, and transmits the packet along with the 
group number to the core bus. Upon receiving the packet 
through the core bus, the bridge circuit identifies the 
group number added to the received packet, and checks the 
received group number against the registered group number. 
Only when the two group numbers are identical, the bridge 
circuit applies the MAC address filtering function to the 
received packet, and transmits the packet to the branch LAN 
accommodated in the bridge circuit.
[0013] 

In this way, it is possible to prevent an illegal 
access packet, such as a multicast packet in the MAC layer 
of LAN, an abnormal packet, or a packet illegally accessing 
a terminal of another group to communicate with a terminal 
of another group, by checking the difference of the group 
numbers.
[0014] 

[Problems to be Solved by the Invention] 

As described above, the system disclosed in JP-A No. 
H7 (1995)-170279 sets the group number for each of the
plurality of branch LANs accommodated in each of the bridge 
circuits, and adds the group number to a packet to be 
transmitted to a core bus to transfer data between LANs in 
the same group. Upon receiving the packet from the core 
bus, the system performs filtering based on the group 
number added to the packet at the time of the transmission, 
before performing filtering based on MAC address which is 
the filtering function the bridge circuit originally 
performed.

[0015] 

With the system of JP-A No. H7 (1995)-170279, it is
possible to prevent an illegal access packet such as a 
multicast packet in the MAC layer of LAN, an abnormal 
packet, or a packet illegally accessing a terminal of 
another group to communicate with a terminal of another 
group, by checking the difference of the group numbers. 
[0016] 

However, it is necessary to add a group number area 
to the packet data format, in order to enable filtering 
disclosed in JP-A No. H7 (1995)-170279 to be performed by
registering the group number to each bridge circuit, adding 
the group number to a packet at the time of the 
transmission, and upon receiving the packet, checking the 
group number of the received packet against the registered
group number.

[0017] 

However, in many cases the LAN packet includes a 
header part in the physical layer, a header part in the 
transport layer, and the like, in which the data format of 
a packet is precisely defined. Thus, in the LAN system in
which the packet data format is defined, it is often 
difficult to add and keep an area to store the group number 
in the existing packet, preventing the technology disclosed 
in JP-A No. H7 (1995)-170279 from being performed.
[0018] 

The present invention is made in light of the above 
described circumstances, and has an object to provide an 
illegal access prevention method and system that allow 
filtering of a bad packet by using an existing area of the 
packet, in order to effectively eliminate the bad packet 
without adding an area to the data format of the packet. 
[0019] 

[Means for Solving the Problems] 

In order to achieve the above object, according to a 
first aspect of the present invention, there is provided an 
illegal access prevention method used in a communication 
network including a plurality of branch networks connected 
by connecting devices, in which one or more logical groups 
are formed, to prevent illegal access in the logical group. 
The illegal access prevention method sets in advance the 
initial value of the Time To Live information included in a 
communication packet at the time of the transmission, to a
predetermined value as confidential information in the 
logical group. The connecting device checks the validity 
of the Time To Live information when the communication 
packet passes therethrough, for the purpose of filtering of 
the packet passing in and out of the logical group.
[0020] 

The Time To Live information may include information 
to be subtracted each time the communication packet passes 
through each of the connecting devices. The initial value
of the Time To Live information as confidential information 
may be set to a value exceeding the estimated maximum 
number of connecting devices through which the packet is 
supposed to pass, based on the network configuration. When 
the value of the Time To Live information is out of the 
range of the initial value to the value (the initial value 
minus the maximum number through which the packet is 
supposed to pass), the connecting device may determine that
the packet is a bad packet. 
[0021] 

The illegal access prevention method may further use 
filtering based on IP address. 
[0022] 

The illegal access prevention method may further use 
filtering based on MAC address.
[0023] 

The illegal access prevention method may discard the 
bad packet by the connecting device. 
[0024]

According to a second aspect of the present invention, 
there is provided an illegal access prevention system used 
in a communication network system including a plurality of 
branch networks connected to each other, in which one or 
more logical groups are formed. The illegal access
prevention system includes: a terminal device connected to 
the branch network, having Time To Live information setting 
means for setting the initial value of the Time To Live 
information included in a communication packet at the time 
of the transmission, to a predetermined value as 
confidential information in the logical group set in 
advance in the communication network; and network 
connecting means having validity check means for checking 
the validity of the Time To Live information when the 
communication packet passes therethrough, and filtering 
processing means for filtering the packet passing in and 
out of the logical group based on the check result of the 
validity check means. The network connecting means
connects the plurality of branch networks while preventing 
illegal access in the logical group. 
[0025] 

The Time To Live information may include information 
to be subtracted each time the communication packet passes 
through each of the network connecting means. The Time To 
Live information setting means may include means for 
setting the initial value of the Time To Live information 
as confidential information, to a value exceeding the 
estimated maximum number of network connecting means
through which the packet is supposed to pass, based on the 
network configuration. The validity check means may 
include means for determining that the packet is a bad 
packet when the Time To Live information is out of the 
range of the initial value to the value (the initial value 
minus the maximum number of network connecting means 
through which the packet is supposed to pass). 
[0026] 

The network connecting means may further include IP 
address filtering means for performing filtering based on 
IP address. 
[0027] 

The network connecting means may further include MAC 
address filtering means for performing filtering based on 
MAC address. 
[0028] 

The network connecting means may include packet 
discard means for discarding the bad packet prevented from 
passing through by filtering. 
[0029] 

According to the present invention, the illegal 
access prevention method and system are used in a 
communication network including a plurality of branch 
networks connected by connecting devices, in which one or 
more logical groups are formed, to prevent illegal access 
in the logical group. The illegal access prevention method 
and system set the initial value of the Time to Live 
information included in a communication packet at the time
of the transmission, to a predetermined value as 
confidential information in the logical group set in 
advance in the communication network. The connecting 
device checks the validity of the Time To Live information 
of the communication packet passing therethrough, for the 
purpose of filtering of the packet passing in and out of 
the logical group. This allows filtering of the bad packet
based on the Time To Live information which is an existing 
area of the packet, enabling effective elimination of the 
bad packet without adding an area to the data format of the 
packet.
[0030] 

[Embodiment of the Invention] 

Hereinafter, an embodiment of the present invention 
will be described with reference to the accompanying 
drawings.

[0031] 

An illegal access prevention system according to an 
embodiment of the present invention is suitable for 
communication network systems using the TCP/IP protocol. 
In this embodiment, TTL which is an existing area in the IP 
header of the TCP/IP protocol, is used in filtering of a 
bad packet in order to effectively prevent illegal access 
of a communication packet with the existing data format of 
the communication packet kept unchanged. 
[0032] 

The IP header of a communication packet based on the 
TCP/IP protocol includes a TTL area for storing TTL (Time
To Live) information. TTL information indicates the time
for which the communication packet can live in the network, 
namely, Time To Live, in the unit of second. With respect 
to the Time To Live measured by the unit of second, there 
may happen that the process time is less than one second or 
the process time is not measurable. In general, for
example, each time a packet passes through each connecting 
device such as router or gateway, the value of the TTL 
information is subtracted by "1". When a communication
packet with the TTL value "0" is detected, the 
communication packet is discarded as its Time To Live is 
determined to have expired. Such TTL information is 
provided in order to prevent occurrence of a packet being 
permanently undelivered and flowing in the network. In the 
TCP/IP protocol, the maximum value of TTL is "255 
(seconds)". In general, the number of routers, gateways, 
or other devices from a transmitting terminal to a 
receiving terminal, is estimated to be larger than the true 
value, for the purpose of preventing occurrence of the 
undelivered packet. In addition, the TTL value is 
generally set to quite a large value, because the 
communication packet is discarded at a time when 255 
seconds has elapsed, even if the value of the TTL has been 
set to the maximum value.
[0033] 

In the present invention, the initial value of the 
TTL of a communication packet is determined in advance as 
confidential information in a logical group. The maximum
number of connecting devices, such as routers and gateways 
through which the packet is supposed to pass from
the transmitting terminal to the receiving terminal in the 
group, is also set in advance. The initial value of the 
TTL should be set to a value larger than the maximum number 
of connecting devices. In filtering of the packet, when 
the TTL value of the passing packet is in the range of the 
initial value of the TTL to the value (the initial value 
minus the maximum number of connecting devices through 
which the packet is supposed to pass), the packet is 
determined to be a normal packet. On the other hand, when 
the TTL value is out of the range, the packet is determined 
to be a bad packet.
[0034] 

With such a configuration, it is possible to 
eliminate a bad packet transmitted from a bad terminal not 
belonging to a specific group to illegally access a 
terminal in the group by using the IP address of a terminal 
in the same group. 
[0035] 

Referring to Figs. 1 to 3, a description will be 
given of an embodiment of a network system including the 
illegal access prevention system according to the present 
invention based on the above described principle. 
[0036] 

Fig. 1 shows the configuration of the principal part 
of a gateway incorporating an illegal access prevention 
system according to the present invention.
[0037] 

In Fig. 1, a gateway 1 includes an IP header check 
unit 11 and a packet discard processor 12.
[0038] 

The IP header check unit 11 checks IP header 
information, and checks packets passing from inside to 
outside, and from outside to inside, of the relevant group, 
allowing only a good communication packet to pass through 
while preventing a bad packet from passing. The packet 
discard processor 12 discards the bad packet prevented from 
passing through by the IP header check unit 11. 
[0039] 

The IP header check unit 11 includes a TTL filtering 
unit 21 and an IP address filtering unit 22. 
[0040] 

The TTL filtering unit 21 includes a validity check 
unit 21a and a filtering processor 21b. The TTL filtering 
unit 21 checks the validity of the TTL information in the 
IP header, allowing only the communication packet with 
valid TTL information as the TTL information, to pass 
through, while preventing the communication packet with 
invalid TTL information from passing. 
[0041] 

The validity check unit 21a checks the validity of 
the TTL information based on whether the TTL information in 
the IP header of the passing communication packet satisfies 
the given conditions. Of the communication packets passing 
in and out of the logical group, the filtering processor
21b allows only the communication packet with the TTL 
information satisfying the given conditions, to pass 
through, on the basis of the check result of the validity 
check unit 21a, while giving the communication packet with 
the TTL information not satisfying the given conditions, to 
the packet discard processor 12. 
[0042] 

As described above, in filtering based on TTL 
information in the gateway 1, the initial value of the TTL 
in each of the logical groups is determined in advance as 
confidential data. Further, the maximum number of 
connecting devices, for example, such as gateways and 
routers through which a packet is supposed to pass from the 
transmitting terminal to the receiving terminal, is also 
set in advance in each of the logical groups. Then, the 
initial value of the TTL and the maximum number of 
connecting devices through which the packet is supposed to 
pass, are registered in advance to the validity check unit 
21a of the gateway 1. In this way, the validity check unit 
21a checks validity based on whether the TTL value of the 
passing packet is in the range of the initial value of the 
TTL to the value (the initial value minus the maximum 
number of gateways through which the packet is supposed to 
pass). When the TTL value is in this range, the packet is 
determined to be a normal packet, or valid. On the other 
hand, when the TTL value is out of this range, the packet 
is determined to be a bad packet, or invalid. 
[0043]

The IP address filtering unit 22 allows communication 
packets from the outside of the logical group to the inside 
thereof, as well as communication packets from the inside 
of the logical group to the outside thereof, to pass 
through based on the IP address information in the IP 
headers of the packets. The IP address filtering unit 22 
prevents communication packets with other IP address 
information from passing, and gives the communication 
packets to the packet discard processor 12. 
[0044] 

Fig. 2 shows a network system configured by using the 
gateway 1 shown in Fig. 1. In Fig. 2, an illegal access 
prevention system is configured by using a gateway having 
the existing filtering function, and a gateway having the 
filtering function according to the present invention shown 
in Fig. 1. 
[0045] 

The network system shown in Fig. 2 includes a first 
gateway 1, a second gateway 2, a first terminal 3, a second 
terminal 4, a third terminal 5, a first branch LAN 6, a 
second branch LAN 7, and a third branch LAN 8. The first 
terminal 3 and the second terminal 4 are connected to the 
first branch LAN 6, and the third terminal 5 is connected 
to the third branch LAN 8. The first branch LAN 6 and the
second branch LAN 7 are connected by the second gateway 2, 
and the second branch LAN 7 and the third branch LAN 8 are 
connected by the first gateway 1.
[0046]

The first and second gateways 1 and 2 transfer data, 
such as communication packets, between the second branch 
LAN 7 and the third branch LAN 8 and between the first 
branch LAN 6 and the second branch LAN 7, respectively. 
[0047] 

The first gateway 1 is a gateway having a 
communication packet filtering function based on the 
present invention shown in Fig. 1. In other words, the 
first gateway 1 has the communication packet filtering 
function based on TTL information according to the present 
invention, as well as the existing communication packet 
filtering function based on IP address. 
[0048] 

The second gateway is the existing gateway, having 
only the communication packet filtering function based on 
IP address. 
[0049] 

It is assumed that the second terminal 4 and the 
third terminal 5 are members of the same group, and that 
the first terminal 3 does not belong to this group. 
[0050] 

In this case, for example, in the group of the 
terminals 4 and 5, it is assumed that the initial value of 
the TTL is set to "5" as confidential data. Further, the
maximum number of connecting devices, namely, gateways 
through which a packet is supposed to pass, is "2" with 
gateways 1 and 2. These values are set in advance to the 
validity check unit 21a of the gateway 1.
[0051] 

The terminal 3 not belonging to the group does not 
know the initial value of the TTL determined between the 
terminals 4 and 5 in the group. Thus, it is assumed that
the initial value of the TTL is set to "32" in the terminal 
3. Referring to the flowchart shown in Fig. 3, a 
description will be given of the operation of the terminal 
4 transmitting a communication packet to the terminal 5, as 
well as the operation of the terminal 3 trying to illegally 
access the terminal 5 with the IP address of the terminal 4 
by pretending to be the terminal 4 not connected to the 
branch LAN 6. The flowchart of Fig. 3 shows a flow of IP 
header check process in the IP header check unit 11 of the 
gateway 1 shown in Fig. 1. 
[0052] 

The gateway 2 only filters IP addresses, so that IP 
addresses of the terminals 4 and 5 are registered in the 
gateway 2. While in the gateway 1, the IP addresses of the 
terminals 4 and 5 are registered to filter IP addresses. 
At the same time, the TTL initial value a "5" determined 
between the terminals 4 and 5, as well as "2" which is the 
maximum number of gateways through which a packet is 
supposed to pass, are stored in the validity check unit 21a 
of the gateway 1. 
[0053] 

First, a description will be given of the operation 
of the terminal 4 transmitting a communication packet to 
the terminal 5 belonging to the same group.
[0054] 

The terminal 4 sets the own IP address, the source IP 
address, to the IP address of the terminal 4, and sets the 
other side's IP address, the (transmission) destination IP 
address, to the IP address of the other side's terminal 5. 
The terminal 4 also sets the TTL to the initial value a "5" 
that is determined between the terminals 4 and 5 in the 
group, and transmits the communication packet to the branch 
LAN 6.
[0055] 

The transmitted packet is received by the gateway 2.
The gateway 2 checks the IP header of the received packet. 
In this case, the source IP address is the registered 
address of the terminal 4, and the destination IP address 
is the registered address of the terminal 5. Thus, the 
gateway 2 determines that the packet is a normal packet. 
When determining the packet to be normal, the gateway 2 
sets the TTL to "4" as a new TTL value, which is obtained 
by subtracting "1" from the original TTL value "5". Then, 
the gateway 2 transmits the communication packet to the 
branch LAN 7.
[0056] 

The packet transmitted to the branch LAN 7 is then
received by the gateway 1. The gateway 1 checks the IP
header of the received packet in the IP header check unit
11 according to the flowchart shown in Fig. 3.
[0057]

210300268US01 (JP-A No. H10-271154)

When the IP header check is started, the IP version is
checked (step S11). When the version is detected to be
abnormal, the packet is discarded by the packet discard
processor 12 (step S17). When the version is detected to
be normal in step S11, the other information of the IP
header is checked (step S12). When this other information
is detected to be abnormal, the process moves to step S17
and the packet is discarded.
[0058] 

When the other information is detected to be normal
in step S12, the TTL value is checked to determine whether
it is "0" (step S13). When the TTL value is "0" in step
S13, the Time To Live has expired and the packet is
discarded in step S17. In this case the TTL value is "4",
so the packet is determined to be normal in step S13.
Then, the validity of the TTL value is checked by the
validity check unit 21a of the TTL filtering unit 21
(step S14).
[0059] 

The validity check tests whether the TTL value is equal
to or less than the initial value a and greater than the
value p (the initial value minus the maximum number of
gateways), that is, whether p < TTL <= a. When the TTL
value lies in this range, it is determined to be valid.
[0060] 

In this case, the initial value a is "5", the value p
(the initial value minus the maximum number of gateways)
is "3" (= 5 - 2), and the TTL value of the received packet
is "4". Thus, the received packet is determined to be
normal. When the packet is determined to be normal in
step S14, the IP addresses of the packet are checked by
the IP address filtering unit 22 (step S15). When the
packet is determined to be bad in step S14, it is
discarded in step S17.
[0061] 

Because the source IP address of the received
communication packet is the registered IP address of the
terminal 4 and the destination IP address is the
registered address of the terminal 5, the communication
packet is determined to be a normal packet and is received
by the gateway 1 (step S16). The gateway 1 sets the TTL of
the received packet to "3", obtained by subtracting "1"
from "4", and transmits the communication packet to the
branch LAN 8. The transmitted communication packet is
received by the terminal 5, the destination terminal.
[0062] 

Next, the operation will be described for the case in
which the terminal 3, which does not belong to the
relevant group, attempts to transmit a packet illegally to
the terminal 5 by impersonating the terminal 4 while the
terminal 4 is not connected to the branch LAN 6.
[0063] 

The terminal 3 sets the source IP address to the IP
address of the terminal 4 and the destination IP address
to the IP address of the destination terminal 5, and
transmits the communication packet to the branch LAN 6.
However, because the terminal 3 does not belong to the
logical group of the destination terminal 5, it does not
know the TTL initial value agreed in that group. For this
reason, the terminal 3 sets the TTL to an arbitrary value
of "32" and transmits the communication packet.
[0064] 

The transmitted communication packet is received by
the gateway 2, which checks the IP header of the received
packet to filter the IP addresses. In this case, as the
source IP address is the registered address of the
terminal 4 and the destination IP address is the
registered address of the terminal 5, the gateway 2
determines that the IP addresses are normal. Thus, the
gateway 2 sets the TTL to "31", obtained by subtracting
"1" from "32", and transmits the communication packet to
the branch LAN 7.
[0065] 

The packet transmitted to the branch LAN 7 is 
received by the gateway 1. The gateway 1 checks the IP 
header of the received packet by the IP header check unit 
11 according to the flowchart shown in Fig. 3. 
[0066] 

When the IP header check is started, the IP version is
checked in step S11. When the version is detected to be
abnormal, the process moves to step S17 and the packet is
discarded by the packet discard processor 12. When the
version is normal in step S11, the other information of
the IP header is checked in step S12. When this other
information is detected to be abnormal, the packet is
discarded in step S17.
[0067] 

When the other information of the IP header is normal
in step S12, the TTL value is checked in step S13 to
determine whether it is "0". The packet would be discarded
if the TTL value were "0" in step S13; however, in this
case the TTL value is "31", so it is determined to be
normal in step S13. Then, the validity of the TTL value is
checked in step S14.
[0068] 

In the validity check in step S14, as described above,
the initial value a is "5" and the value p (the initial
value minus the maximum number of gateways through which
the packet is supposed to pass) is "3" (= 5 - 2), but the
TTL value of the received communication packet is "31",
which is outside the range p < TTL <= a. Thus, the packet
is determined to be abnormal, and the process moves to
step S17 to discard the communication packet.
[0069] 

As described above, the filtering function based on
the TTL in the IP header makes it possible to detect a bad
packet that IP address filtering alone cannot detect (the
source address has been spoofed to a registered one) and
to discard it, increasing the reliability of the illegal
access prevention function for the terminal.
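The two runs through the Fig. 3 flow described above, as an added example in Python (not the patent's own code): a gateway that checks the IP version, the remaining header fields, the expired-TTL condition, the TTL validity range p < TTL <= a from [0059] and the registered addresses, then subtracts 1 from the TTL before forwarding. The terminal addresses, the GroupPolicy/gateway_check names, and the choice of header length, total length and header checksum as the "other information" tested in step S12 are assumptions made for this example.

```python
# Added example: a gateway IP header check following the Fig. 3 flow.
# Not the patent's code; addresses and names are constructed for this example.
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPolicy:
    """Per-group settings held by the gateway (assumed names)."""
    ttl_initial: int        # a: initial TTL agreed as confidential in the group
    max_gateways: int       # g: maximum number of gateways a packet should pass
    registered: frozenset   # registered terminal IP addresses (dotted quads)

    @property
    def ttl_floor(self) -> int:
        # p = a - g; a valid packet satisfies p < TTL <= a ([0059])
        return self.ttl_initial - self.max_gateways


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, version: int = 4) -> bytes:
    """Constructed 20-byte IPv4 header (no options, no payload) for the scenarios."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20, 0, 0, ttl, 6, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    ver_ihl, _tos, tlen, _id, _frag, ttl, _proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "total_length": tlen,
            "ttl": ttl, "checksum": csum,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def gateway_check(pkt: bytes, policy: GroupPolicy, ttl_filter: bool = True):
    """Fig. 3 flow; returns (verdict, packet to forward or None).
    ttl_filter=False models gateway 2, which filters IP addresses only."""
    if len(pkt) < 20:
        return "discard:S12", None
    h = parse_ipv4_header(pkt)
    if h["version"] != 4:                                   # S11: IP version
        return "discard:S11", None
    hlen = h["ihl"] * 4                                     # S12: other header information
    if (hlen < 20 or hlen > len(pkt) or h["total_length"] != len(pkt)
            or ipv4_checksum(pkt[:hlen]) != 0):
        return "discard:S12", None
    if h["ttl"] == 0:                                       # S13: Time To Live expired
        return "discard:S13", None
    if ttl_filter and not (policy.ttl_floor < h["ttl"] <= policy.ttl_initial):
        return "discard:S14", None                          # S14: TTL validity (gateway 1)
    if h["src"] not in policy.registered or h["dst"] not in policy.registered:
        return "discard:S15", None                          # S15: IP address filtering
    fwd = bytearray(pkt)                                    # S16: receive and forward
    fwd[8] = h["ttl"] - 1                                   # subtract 1 from the TTL
    fwd[10:12] = b"\x00\x00"                                # recompute the header checksum
    fwd[10:12] = struct.pack("!H", ipv4_checksum(bytes(fwd[:hlen])))
    return "accept", bytes(fwd)


# Constructed addresses for terminals 3, 4 and 5 (TEST-NET-1, not real hosts).
TERM3, TERM4, TERM5 = "192.0.2.3", "192.0.2.4", "192.0.2.5"
POLICY = GroupPolicy(ttl_initial=5, max_gateways=2, registered=frozenset({TERM4, TERM5}))


def traverse(pkt: bytes):
    """Gateway 2 (IP filter only), then gateway 1 (TTL + IP filter); returns the
    verdict at each hop and the TTL the destination would see, if delivered."""
    v2, fwd = gateway_check(pkt, POLICY, ttl_filter=False)
    if fwd is None:
        return [("gateway 2", v2)], None
    v1, fwd = gateway_check(fwd, POLICY, ttl_filter=True)
    return [("gateway 2", v2), ("gateway 1", v1)], (parse_ipv4_header(fwd)["ttl"] if fwd else None)


def run_scenarios() -> dict:
    legit = build_ipv4_header(TERM4, TERM5, ttl=5)    # [0054]: terminal 4 uses TTL = a
    spoof = build_ipv4_header(TERM4, TERM5, ttl=32)   # [0063]: terminal 3 impersonating 4
    return {"legitimate": traverse(legit), "spoofed": traverse(spoof)}
```

The legitimate packet is accepted at both gateways and reaches the terminal 5 with TTL 3; the spoofed packet passes gateway 2 (its addresses are the registered ones) and is discarded at gateway 1 in step S14. A caveat for anyone reusing the idea: the TTL is an 8-bit field carried in clear, so the group's initial value is read directly by any observer of group traffic and can be enumerated by a blind sender in at most 255 attempts. The check is a filter that complements address filtering, not an authentication of the sender.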
[0070] 

Incidentally, in the embodiment of the present
invention described with reference to Figs. 1 to 3,
filtering based on TTL information is used in combination
with filtering based on IP address. However, it is also
possible to combine it with a MAC address filtering
function by further providing means for filtering based
on MAC address.
[0071] 

[Advantages of the Invention] 

As described above, the illegal access prevention
method and system according to the present invention are
used in a communication network including a plurality of
branch networks connected by connecting devices, in which
one or more logical groups are formed, to prevent illegal
access in the logical group. The illegal access prevention
method and system set the initial value of the Time To Live
information included in a communication packet, at the
time of transmission, to a predetermined value that is
confidential information in the logical group and is set
in advance in the communication network. The connecting
device checks the validity of the Time To Live information
of the communication packet passing through it, for the
purpose of filtering packets passing in and out of the
logical group. This allows filtering of a bad packet based
on the Time To Live information, which is an existing area
of the packet.

[0072] 

In other words, according to the present invention,
it is possible to provide an illegal access prevention
method and system that allow filtering of a bad packet
based on an existing area of the packet, so as to
effectively eliminate the bad packet without adding an
area to the format of the packet.

[Brief Description of the Drawings] 

[Fig. 1] Fig. 1 is a block diagram showing the
configuration of the principal part of a gateway
incorporating an illegal access prevention system according
to an embodiment of the present invention.

[Fig. 2] Fig. 2 is a block diagram showing the
configuration of a network system using the gateway of
Fig. 1.

[Fig. 3] Fig. 3 is a flowchart showing the flow of the IP
header check in the IP header check unit of the gateway,
which explains the operation of the system of Fig. 1.

[Description of Symbols] 
1, 2: gateway

3 to 5: terminal (terminal device)

6 to 8: branch LAN (Local Area Network)

11: IP (Internet Protocol) header check unit

12: packet discard processor

21: TTL (Time To Live) filtering unit

21a: validity check unit

21b: filtering processor

22: IP address filtering unit
FIG. 1
FIG. 2
FIG. 3